FERPA Expert Witness
Finding a FERPA expert witness includes assessing the specialized knowledge of the individual. A FERPA expert should know the history of FERPA and how educational institutions should conduct assessments to comply with it and prevent unauthorized access to PII.
FERPA (the Family Educational Rights and Privacy Act of 1974) protects the use and disclosure of student educational records. FERPA protects not only students’ right to privacy and accuracy of education records but also the student’s and family’s right to ensure that accuracy and privacy. FERPA applies to all “education programs,” meaning schools, including elementary schools, middle schools, high schools, and colleges, that receive funds via programs administered by the U.S. Department of Education. FERPA provides the following definition:
34 CFR 99.3: “‘Education program’ means any program that is principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, and any program that is administered by an educational agency or institution.”
Institutions are responsible for confirming that all of their schools comply with FERPA. Failure to comply could ultimately lead to the withholding of funds administered by the Secretary of Education.
Like HIPAA, FERPA defines information that can be used to identify an individual. HIPAA’s Protected Health Information (PHI) is similar to the FERPA Personally Identifiable Information (PII) concept.
Personally Identifiable Information includes, but is not limited to –
(a) The student’s name;
(b) The name of the student’s parent or other family members;
(c) The address of the student or student’s family;
(d) A personal identifier, such as the student’s social security number, student number, or biometric record;
(e) Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name;
(f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
(g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.
FERPA makes it clear that DNA and other biometric identifiers are protected, providing:
“Biometric record, as used in the definition of personally identifiable information, means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting.”
Additional information on PII is available in the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3, and in the PTAC publication Checklist: Data Governance.
Permitted Disclosures under FERPA vs. HIPAA
FERPA only permits disclosure for treatment, payment, and “legitimate educational interests” purposes. Under FERPA, “treatment records” must be made, maintained, and used only in connection with treatment (see 34 C.F.R. 99.3). Such records may be disclosed to health care professionals who are not part of or acting on behalf of a school only when the disclosure is for treatment. Records may also be disclosed for billing. In that case, they are “education records” and, unless another FERPA exception applies, cannot be disclosed without the prior written consent of the parent or eligible student (meaning a student who reaches the age of 18 or attends a postsecondary institution).
A FERPA expert can assist in determining whether a school shared only permitted information, including health and medical information, without prior written consent with teachers and other school officials only if they had “legitimate educational interests” in the information pursuant to FERPA regulations and the school’s annual notification of FERPA rights.
According to the CDC, FERPA allows schools to disclose information from a student’s education record, without consent, to the following parties or under the following conditions:
- School officials with legitimate educational interest
- Other schools to which a student is transferring
- Specified officials for audit or evaluation purposes
- Appropriate parties in connection with financial aid to a student
- Organizations conducting certain studies for, or on behalf of, the school
- Accrediting organizations
- Appropriate officials in cases of health and safety emergencies
- State and local authorities, within a juvenile justice system, pursuant to specific state law
- To comply with a judicial order or lawfully issued subpoena (see the federal CDC website regarding FERPA).
HIPAA Disclosures Compared to FERPA Disclosures
HIPAA permits disclosures to a health plan for payment purposes without the individual’s prior written consent, and for other purposes as permitted under the HIPAA regulations and in accordance with the covered entity’s notice of privacy practices. The HIPAA Notice of Privacy Practices is similar to FERPA’s “annual notification of FERPA rights.”
HIPAA and FERPA Both Have De-Identification Standards
FERPA permits disclosures if the PII is de-identified. HIPAA has similar provisions.
FERPA Expert Assessment of Risk Avoidance and Compliance
If an organization is suspected of unauthorized disclosures of PII, enforcement agencies may request “reports, information on policies and procedures, annual notifications, training materials, or other information necessary to carry out the Office’s enforcement responsibilities under the Act or this part.”